GitHub says some accounts compromised in ‘reused password’ attack

GitHub has revealed that a number of users’ accounts have been accessed by an attacker reusing email addresses and passwords obtained from other compromised internet services.

The code-hosting platform, which claims millions of users around the world, revealed a series of “unauthorized attempts” to log into many accounts on GitHub.com on Tuesday evening. “This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,” explained Shawn Davenport, VP of Security at GitHub, in a blog post.

While Davenport was quick to stress that GitHub itself had not been hacked, he did concede that the attacker was successful in gaining entry to “a number” of GitHub accounts, though he didn’t specify how many.

There have been a number of high-profile “hacks” across the tech realm of late, perhaps the most notable being LinkedIn. The professional social network, which was acquired by Microsoft for $26.2 billion this week, hit the headlines last month after it reset passwords on millions of accounts as new data-leak reports began to surface. The compromised account details reportedly stemmed from a leak dating all the way back to 2012 when 6.5 million passwords were pulled from the social network, with the account credentials put up for sale on the “dark web” four years later. Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts were subsequently hacked, an event blamed on the LinkedIn password dump.

GitHub likely doesn’t know the origins of the passwords and email addresses used to compromise the accounts in question on GitHub.com, but the incident does serve as a stark reminder that reusing the same password across multiple online services is never a good idea.

GitHub says that it will be sending notifications to the individuals affected explaining how they can reset and restore access to their accounts. Davenport also has a dose of good advice to mete out: “We encourage all users to practice good password hygiene and enable two-factor authentication to protect your account,” he said.